/dev/dri/* is a special case that the shell (or lightdm, whichever runs as root) needs to handle. Same goes for other desktop devices like audio, webcams etc.
This makes me think it has already been done by virtue of logging in by lightdm. So yeah, this would just be an over-confinement problem to be fixed per app. Although each app having to know the details of every device that every graphics driver might ever need doesn't seem like a great architectural choice...